[ http://jira.codehaus.org/browse/WAGONSSH-12?page=all ]

Juan F. Codagnone updated WAGONSSH-12:
--------------------------------------
    Attachment: WAGON-SSH-12.diff

Here is a patch.

I tried to keep all the things pretty configurable. You can choose what to do with the incoming host key:
 * ignore it, like until now
 * take the connection only if the key is known
 * ask the user if the host is not known.

There are 3 implementations for known keys providers (take a look at the xdoc):
 * hardcoded in configuration (could be used in the settings xml)
 * null (provides nothing)
 * ~/.ssh/known_hosts file (or similar in another location)

And there are two implementations to ask the user for acceptance of a new key (Console and Null).

I think it is flexible enough to cover all reasonable scenarios.

The default configuration is pretty safe (I didn't want the constructor to have arguments, to make it easier to work with maven-1.1): ~/.ssh/known_hosts provider with a null fallback, and an ask console policy. (hey! I've been using it in m1 with MAVEN-1686)

All the policies can be injected with setters (I hope Plexus is a type 2 IoC container)

Regards,
Juan.

ps. don't hesitate to ask anything or mark problems or coding style issues.
ps1. I don't know how I will configure this in M2 yet.

> wagon-ssh is vulnerable to man in the middle attacks
> ----------------------------------------------------
>
>          Key: WAGONSSH-12
>          URL: http://jira.codehaus.org/browse/WAGONSSH-12
>      Project: wagon-ssh
>         Type: Bug
>     Reporter: Juan F. Codagnone
>     Priority: Critical
>  Attachments: WAGON-SSH-12.diff
>
>
> There is no way to handle known hosts/fingerprints in wagon-ssh.
> ¡Encryption without knowing who you are talking with has no fun!
> I will try to provide a patch

--
This message is automatically generated by JIRA.
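
The split between host key policy, known-keys providers and user interaction described in the message above, as an added example (not code from the attached patch or from wagon-ssh). All class and method names are hypothetical, the keys are constructed, only plain host names in known_hosts are handled, and refusing a known host that presents a different key without prompting is an assumption of this sketch.

```java
import java.util.*;
import java.util.function.Predicate;

public class HostKeyCheckDemo {                  // every name in this class is hypothetical
    enum Policy { IGNORE, STRICT, ASK }          // the three choices listed in the message
    enum Lookup { MATCH, MISMATCH, UNKNOWN }

    interface KnownHostsProvider { Optional<String> keyFor(String host, String type); }

    // Parses known_hosts-style text; comments, hashed ("|1|") and "@marker" lines are skipped.
    static KnownHostsProvider fromKnownHosts(String text) {
        Map<String, String> keys = new HashMap<>();
        for (String line : text.split("\n")) {
            String[] f = line.trim().split("\\s+");
            if (f.length < 3 || f[0].matches("[#|@].*")) continue;
            for (String host : f[0].split(",")) keys.put(host + " " + f[1], f[2]);
        }
        return (host, type) -> Optional.ofNullable(keys.get(host + " " + type));
    }

    // The first provider in the chain that knows the host decides; later ones are fallbacks.
    static Lookup lookup(List<KnownHostsProvider> chain, String host, String type, String key) {
        for (KnownHostsProvider p : chain) {
            Optional<String> known = p.keyFor(host, type);
            if (known.isPresent()) return known.get().equals(key) ? Lookup.MATCH : Lookup.MISMATCH;
        }
        return Lookup.UNKNOWN;
    }

    static boolean accept(Policy policy, Lookup result, Predicate<String> askUser, String prompt) {
        if (policy == Policy.IGNORE) return true;             // old behaviour: server is not authenticated
        if (result == Lookup.MATCH) return true;
        if (result == Lookup.MISMATCH) return false;          // assumption: changed key is refused, never prompted
        return policy == Policy.ASK && askUser.test(prompt);  // unknown host: only ASK may accept
    }

    public static void main(String[] args) {
        String file = "# constructed sample\nrepo.example.org,192.0.2.10 ssh-rsa AAAAB3CONSTRUCTEDKEY1\n";
        KnownHostsProvider nullProvider = (h, t) -> Optional.empty();   // "null (provides nothing)"
        List<KnownHostsProvider> chain = Arrays.asList(fromKnownHosts(file), nullProvider);
        Predicate<String> nullInteraction = q -> false;       // "Null" interaction: never accepts a new key
        String[][] offers = { {"repo.example.org", "AAAAB3CONSTRUCTEDKEY1"},
                              {"repo.example.org", "AAAAB3DIFFERENTKEY"},
                              {"new.example.org", "AAAAB3CONSTRUCTEDKEY2"} };
        for (String[] o : offers) {
            Lookup r = lookup(chain, o[0], "ssh-rsa", o[1]);
            System.out.println(o[0] + " -> " + r + ", accepted under ASK: "
                    + accept(Policy.ASK, r, nullInteraction, "Trust " + o[0] + "?"));
        }
    }
}
```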